Cisco ASA Static NAT Configuration

Hi Michael,

Normally it should work as Rene has previously explained, because the direction doesn’t matter for the ASA; the only thing that matters is what to translate. If you want the request to be sourced from the inside, you can specify “unidirectional” at the end of the nat (inside,outside) static command so the destination addresses cannot initiate traffic to the source addresses.

Hope this can help.


I need help, please.

I am using the same topology but am unable to telnet to 192.168.2.200; there is an error: % Connection timed out; remote host not responding

Hello Naveed

Make sure that all of the commands you have entered are as described in the lesson. Keep in mind also that you will require the use of an access list to allow the traffic to go through, otherwise it will be dropped. Specifically, for ASA versions before 8.3, you will need to issue the following command:

ASA1(config)# access-list OUTSIDE_TO_DMZ extended permit tcp any host 192.168.1.1

For version 8.3 and later, you will have to substitute the “real” IP address for the “NAT translated” address. So the command would look like this:

ASA1(config)# access-list OUTSIDE_TO_DMZ extended permit tcp any host 192.168.2.200

Depending on the version you have, you should put in the appropriate command.

Try it out and let us know your results!

I hope this has been helpful!

Laz

Thanks, sorted out this problem :slight_smile:

Hi,

ASA1(config)# object network WEB_SERVER
ASA1(config-network-object)# host 192.168.1.1
ASA1(config-network-object)# nat (DMZ,OUTSIDE) static 192.168.2.200

Let’s say I have one more subnet, 192.168.3.0, that wants to NAT DMZ host 192.168.1.10 in the same scenario. What do we have to do in this case?

Thanks

Hi Sims,

You want users in 192.168.3.0 to reach 192.168.1.10 through 192.168.2.200? Where is your 192.168.3.0 subnet located?

Rene

Hi,
I’ll advertise the network in the internet edge router
and create a static route to the ASA.
In the ASA, do NAT:

ASA1(config)# object network WEB_SERVER
ASA1(config-network-object)# host 192.168.1.1
ASA1(config-network-object)# nat (DMZ,OUTSIDE) static 192.168.3.200

Thanks

This will make your host at 192.168.1.1 reachable through 192.168.3.200 yes.

Hi Rene,

This demonstrates that each IP address in the pool is translated to the “same” IP address in the DMZ. For example:

10.10.10.1 > 192.168.1.1
10.10.10.3 > 192.168.1.3
10.10.10.200 > 192.168.1.200
etc.

How is this going to happen exactly, 10.1 to 1.1, 10.2 to 1.2, etc.?
What if we have more than 255 servers hosted in our DMZ, i.e. the pool of IPs is exhausted?

Hi Siva,

The ASA tries to do a 1:1 mapping, here’s a quick example:

R2#telnet 10.10.10.55

ASA1#
nat: untranslation - OUTSIDE:10.10.10.55/23 to DMZ:192.168.1.55/23 (xp:0x00007f84fc2ea0c0, policy:0x00007f84fda09fd0)

You can see it translates 10.10.10.55 to 192.168.1.55. Here is another example:

ASA1#
nat: untranslation - OUTSIDE:10.10.10.88/23 to DMZ:192.168.1.88/23 (xp:0x00007f84fc2ea0c0, policy:0x00007f84fda09fd0)

Same thing for .88.

This is a 1:1 static NAT so if you don’t have enough IP addresses in your pool, you’ll need to use PAT (port forwarding) instead.

Rene

Do the above examples define static NAT as bi-directional?

Also, if it translates to an IP address in the DMZ, what will the packet look like, since the IP is already assigned to the host?

We are translating 192.168.2.200 to 192.168.1.1 to reach the same… normally, as explained, the translating address is equal to the web server IP… I am confused.

Hi Pavan,

This is not bi-directional NAT since we only translate one address here. If you use static NAT then you have a 1:1 relation, you can’t use the IP address for any other devices. If that’s what you want, you need to use PAT instead.

As to why we translate like this. Imagine the outside IP address is not 192.168.2.254 but some public IP address. If you want the web server to be reachable from the outside world, you’ll have to use NAT since the web server is using a private IP address.

I’m new here; how can I save a lesson or add it to a favorites list, please?

Thanks

Hello Moussa,

We have a member ideas list here where you can create new ideas or vote on others:

Rene

Hi Rene,
When you say the direction does not matter, does that mean that writing the command like (inside,outside) or (outside,inside) becomes irrelevant? If I compare what you explain when the outside client wants to connect to the DMZ server inside, your NAT statement is

ASA1(config-network-object)# nat (DMZ,OUTSIDE) static 192.168.2.200

whereas on this link, under the second example

NAT for Inside Hosts (Dynamic NAT) and NAT for an Outside Web Server (Static NAT)
Step 5
Configure static NAT for the web server.

hostname(config-network-object)# nat (outside,inside) static 10.1.2.20

it's the other way round??? Please explain.

Hello Naila

Let’s look again at the example that Rene was referring to:

ASA1(config)# object network WEB_SERVER
ASA1(config-network-object)# host 192.168.1.1
ASA1(config-network-object)# nat (DMZ,OUTSIDE) static 192.168.2.200

This statement will cause host 192.168.1.1, which is on the DMZ, to be translated to a static external IP address of 192.168.2.200. This translation functions both ways, meaning that when 192.168.1.1 communicates with devices on the outside, the source address of this communication will be translated to 192.168.2.200, and when any outside devices communicate with 192.168.2.200, this destination address will be translated to 192.168.1.1.

This does not mean that we can switch the DMZ and OUTSIDE keywords in the NAT command and get the same result. The results will indeed be different.

For example, if the following was configured:

ASA1(config)# object network WEB_SERVER
ASA1(config-network-object)# host 192.168.1.1
ASA1(config-network-object)# nat (OUTSIDE,DMZ) static 192.168.2.200

This statement will cause host 192.168.1.1, which is on the OUTSIDE, to be translated to a static IP address of 192.168.2.200 on the DMZ. This means that when 192.168.1.1 communicates with devices on the DMZ, the source address of this communication will be translated to 192.168.2.200, and when any DMZ devices communicate with 192.168.2.200, this destination address will be translated to 192.168.1.1.

I hope this has been helpful!

Laz

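To make the two explanations above concrete, here is a small model of an ASA object static NAT rule, written for this thread (it is not the ASA's own logic, nor code from the lesson). It shows Rene's 1:1 offset mapping (10.10.10.55 to 192.168.1.55) and Laz's point that flipping the interface pair changes which side the real host is on; the addresses 10.10.10.2 and 10.0.0.5 used as peers are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class StaticNat:
    """Simplified model of one rule: nat (real_ifc,mapped_ifc) static <mapped>.
    Assumption for this example; it is not the ASA's own implementation."""
    real_ifc: str      # interface the real (object) address lives on
    mapped_ifc: str    # interface where the mapped address is seen
    real_net: str      # real host/subnet, e.g. "192.168.1.1/32"
    mapped_net: str    # mapped host/subnet, e.g. "192.168.2.200/32"
    unidirectional: bool = False  # models the "unidirectional" keyword

    def __post_init__(self):
        self.real = ip_network(self.real_net)
        self.mapped = ip_network(self.mapped_net)
        if self.real.prefixlen != self.mapped.prefixlen:
            raise ValueError("1:1 static NAT needs equal-sized real and mapped ranges")

    @staticmethod
    def _shift(addr, from_net, to_net):
        # 1:1 mapping keeps the host offset: 10.10.10.55 <-> 192.168.1.55
        offset = int(addr) - int(from_net.network_address)
        return ip_address(int(to_net.network_address) + offset)

    def apply(self, in_ifc, out_ifc, src, dst):
        """Return (src, dst) as strings after this rule has been applied."""
        src, dst = ip_address(src), ip_address(dst)
        # real -> mapped direction: the source address is translated
        if in_ifc == self.real_ifc and out_ifc == self.mapped_ifc and src in self.real:
            return str(self._shift(src, self.real, self.mapped)), str(dst)
        # mapped -> real direction: the destination is "untranslated",
        # unless the rule was configured as unidirectional
        if (in_ifc == self.mapped_ifc and out_ifc == self.real_ifc
                and dst in self.mapped and not self.unidirectional):
            return str(src), str(self._shift(dst, self.mapped, self.real))
        return str(src), str(dst)  # rule does not match; packet is left alone


# Laz's example: nat (DMZ,OUTSIDE) static 192.168.2.200 for host 192.168.1.1
WEB = StaticNat("DMZ", "OUTSIDE", "192.168.1.1/32", "192.168.2.200/32")
# the same rule with the interfaces flipped: nat (OUTSIDE,DMZ) static 192.168.2.200
FLIPPED = StaticNat("OUTSIDE", "DMZ", "192.168.1.1/32", "192.168.2.200/32")
# Rene's 1:1 subnet mapping: 10.10.10.x on OUTSIDE <-> 192.168.1.x on the DMZ
POOL = StaticNat("DMZ", "OUTSIDE", "192.168.1.0/24", "10.10.10.0/24")

if __name__ == "__main__":
    print(WEB.apply("OUTSIDE", "DMZ", "192.168.2.254", "192.168.2.200"))
    print(FLIPPED.apply("OUTSIDE", "DMZ", "192.168.2.254", "192.168.2.200"))
    print(POOL.apply("OUTSIDE", "DMZ", "10.10.10.2", "10.10.10.55"))
```

With the flipped rule, a packet from the outside to 192.168.2.200 is not touched at all, because the rule now expects the real host on the OUTSIDE side and the mapped address on the DMZ side.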

Thanks, I think it makes sense now. By flipping the order inside (inside,outside), it will change the whole meaning of the direction of the traffic and also the respective NATting.

One more question.
When we define a static host entry on the inside and refer to it in the NAT statement, are we saying it will use the host IP address?

e.g.

object network myServer
host 192.168.1.1
nat (inside,outside) static 10.10.10.100

Does this mean that the NAT statement already knows that when we type “inside”, it should pick the IP address from the object network to be used as the source?

I get the idea but just want to confirm the flow of how to read the NAT statement.

If the traffic was coming from outside to this web server, the above should still work as it's bidirectional.
Am I right?

Thanks